[cabf_validation] Validation WG meeting minutes 2019-10-10

Stephan Wolf Stephan.Wolf at Gleif.org
Sat Oct 12 01:49:57 MST 2019



Please see my remarks embedded in red. Hope this helps.





Von: Validation <validation-bounces at cabforum.org> im Auftrag von Doug Beattie via Validation <validation at cabforum.org>
Antworten an: Doug Beattie <doug.beattie at globalsign.com>, CA/Browser Forum Validation WG List <validation at cabforum.org>
Datum: Freitag, 11. Oktober 2019 um 20:58
An: CA/Browser Forum Validation WG List <validation at cabforum.org>
Betreff: [cabf_validation] Validation WG meeting minutes 2019-10-10


If I omitted anything or mis-represented your statements, please let me know.  This was one heck of a meeting to take minutes for.









Janet Hines







Tim H.




1.       Anti-trust statement


2.       Assign note taker



3.       Other ballots

Spring cleanup ballot:  Ryan: took over and received some comments.  Will take one more look and merge in changes. Push out draft ballot tomorrow.


Method 6: Doug to take a look at that soon.




4.       Further LEI discussion

The LEI discussions was very long and intense, so this is a summary of the key points by the primary participants in this discussion and I've omitted the details in order to get the minutes out in a more consumable format.



·         Provided concrete use cases (server to server) and never heard back, thus he didn’t believe there were any technical security issues with the approach
I said two distinct things. 
A) I gave a GLEIF use case. For all other use cases CAs should ask their customers. One example was given of a student’s plugin in the browser to retrieve data.
B) I asked Ryan several time if there were any security or technical issue associated with the inclusion of extensions. I never got an answer. The examples provide are of a different nature, e.g. concerns about validation, dependencies to 3rd party systems, etc. With regards to that I replied that this is the exact same with other EV related information such as business registry numbers. I concluded that there were no real security issues other than procedural concerns.

o    Ryan commented that this was a good example for where non publicly trusted certificates would sufficient.  More on this below

·         ETSI and ISO are both pushing developing technical standards for LEIs in TLS certificates in general

·         The question was raised if Ryan would suggest eliminating all identity information from TLS certificates. The answer was yes. This is not a discussion I could add anything. However, in case EV certificates continue to be used, the LEI adds an incredible value by providing an additional layer of trust, external verification becomes easier etc.

·         EV certificate data cannot change once issued, but LEI data can and thus will be more up to date and accurate. The LEI data can change outside the certificate e.g. in cases of M&A, bankruptcy etc.

o    Ryan said that if data can change in the certificates, then there is a risk because it can't be changed quickly and efficiently.



·         LEIs add more readability to the similar info that is in the EV certificate today, but extends it

·         How relevant is this consumption to the browsers?

·         LEI is at least as valuable as the EV information already

·         Gordon is working with some students to build a plug-in that pulls LEI number from the certificate and then displays the data to the user.  The intent is to help address the Stripe type issue

o    Ryan replied that this isn’t tied to TLS and that perhaps the right location for this additional data in in DNS, it’s data associated with the domain and not with setting up a secure TLS session.

·         Separating this data our of TLS certificates sounds all good and great, but this is going to take a long time to build out and get rolling

o    Ryan replied that it was quite the opposite.  Following the suggestions posted on the list, one could get this going more quickly than:

·         What does it mean when including this in TLS certificates

·         What is the validation process

·         Etc.


·         Ryan repeated this multiple times: The core question is not why LEI (there are lots of valuable use of this data), but the question is why in TLS certificates.  There needs to be compelling reason that it belongs there without introducing risk

·         What are the befits to the Root Stores that store the Roots vs. the risks for those (non-TLS specific) use cases that are not needed directly by the browsers

·         Every cert use not intended to interact with browsers introduces risks, and the goal is to remove all of these external risks.

·         The risk of external, non-browser based dependencies only increases over time, so to bring new fields and uses into TLS certificates needs to be very closely reviewed to be sure that the value is greater than the risk for the Root Store programs (Browses). 

·         One of the greatest risks to the Browsers' users: Challenge to being compliant with non-browser driven requirements and use cases.  Need to minimize to the maximum extent possible to limit harm to the browser community

·         There are risks to the eco system and more specifically to the browsers.  Browsers use TLS certificates for the purposes of securing browser to server sessions.  The additional of any more data into the certificates represents risks, technical risks

o    Slows down issuance and replacement because the data needs to be accurate and up-to date

o    Additional data can be added incorrectly and can result in misissuance which would have been otherwise avoided if the data was not present to begin with

·         Note the recent issues with states in certificates

o    Ryan has proposed alternatives to including data within the TLS certificates which he believes can be accomplished more quickly than by including similar data in TLS certificates

o    There are challenges when different users start using the browser root stores for unintended ways, for example:

·         SHA-1: Payment systems should have used non-public roots

·         1024 bit migrations were hindered by non-browser implementations 

·         Server to server should be private PKI 

·         One CA mentioned that shortening validity period of the TLS certificates would impact their customer who is using them for non- browser purposes.

·         There are numerous open questions about the inclusion of LEIs into certificates which will need to be address if the Why is answered.

·         In addressing the topic of X.509 and how this specifies the important organization attributes:

o    The structure of the subject DN of certificates was intended to be a pointer into an X500 directory where additional attributes could be obtained and used.

o    X500 directory's never materialized


·         The Root programs trust CAs for the purposes of enabling secure browser sessions and any additional reliance on TLS certificates for other purposes, or for conveying additional data increases risk without necessarily adding any value


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20191012/4301d44e/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5394 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/validation/attachments/20191012/4301d44e/attachment-0001.p7s>

More information about the Validation mailing list